Kumar Chandramoulie of AmerisourceBergen on Cybersecurity Risk and Effectiveness

Kumar Chandramoulie
EPISODE 7: THINK BAD, DO GOOD


Jonathan Reiber, Senior Director for Cybersecurity Strategy and Policy, AttackIQ

Guest: Kumar Chandramoulie

Kumar Chandramoulie is no stranger to challenge. As Vice President, Cyberdefense, Data, and Threat Management at AmerisourceBergen, Chandramoulie is responsible for planning his firm’s approach to cybersecurity risk management across its global operations. This is a vital mission: AmerisourceBergen provides pharmaceutical products, value-driving services, and business solutions that improve access to care. Global manufacturers depend on AmerisourceBergen for services that drive commercial success for their products. Tens of thousands of healthcare providers, veterinary practices, and livestock producers trust AmerisourceBergen as their partner in the pharmaceutical supply chain. Data underpins the entire process, and Kumar is responsible for securing the firm’s networks across multiple borders, businesses, and platforms. 

He uses MITRE ATT&CK and AttackIQ to achieve operational effectiveness and help his team do the best job they can. In this episode, Jonathan and Kumar discuss his approach to cybersecurity and how MITRE ATT&CK and AttackIQ help him secure AmerisourceBergen’s data. They talk about Kumar’s process of building a cybersecurity system, why MITRE ATT&CK is so useful for AmerisourceBergen’s security effectiveness, and how performance data helps AmerisourceBergen leadership understand their cybersecurity.

For more about how AmerisourceBergen uses MITRE ATT&CK and AttackIQ, you can dive into this case study here.

Kumar Chandramoulie


Kumar Chandramoulie is Vice President, Cyberdefense, Data, and Threat Management at AmerisourceBergen. He has a global responsibility for securing high value assets and functions at his firm, a Fortune 10 company and a global leader in shaping up the healthcare delivery industry. 

In his current role he has built 24/7 cyber command center operations, incident response teams, cyber product engineering team, digital forensics, threat intelligence and hunting team. He drives application and infrastructure vulnerability management programs to move the organization to proactively manage threats across the organization. Kumar initially joined AmerisourceBergen in 2017 as head of the cybersecurity division to build the cybersecurity program. His hands-on experience with security tools has helped him manage multiple teams, architect and deliver complex IT deployments for projects with budgets ranging from half a million to 20 million dollars. Previously, Kumar helped multiple Fortune 500 clients in the healthcare, manufacturing, oil and energy, insurance and financial sectors to develop an enterprise level security strategy, governance, security policies, IT solutions and deployments to meet growth, audit and compliance requirements.

Kumar previously studied at California State University, Fullerton and holds a Master’s degree in Electronics and Communications Engineering along with a Bachelor’s degree in Electrical Power Engineering. Kumar also holds CISSP, CISM and CCSK certifications.


Transcript

Jonathan Reiber:
Greetings, okay. Hello, everyone, and welcome to, I think it’s our seventh episode of Think Bad, Do Good Podcast here at AttackIQ, and we’re extremely pleased to have Kumar Chandramoulie, who is the senior director for cyberthreat intelligence. I’ve already buggered that up. The senior director for global cyberthreat and vulnerability management at AmerisourceBergen. He’s joining us today as a customer of ours. So I’m extra grateful for him coming on board because normally, we’re helping him. And today he’s coming on the show, which is really great. So thank you, Kumar, for joining.

Kumar Chandramoulie:
Hey, Jon. Absolutely. I’m glad and excited to be here.

Jonathan:
Great. And today Kumar’s going to talk about his role and what he’s learned as a senior director in cybersecurity at AmerisourceBergen and, really, in his career working in cybersecurity.

So this is a podcast for lessons for chief information security officers and senior leaders working in cybersecurity. And we’re also going to talk a little bit about how AttackIQ’s Security Optimization Platform helps him. But he’s got some really good stories about nation-state actors and what it’s like to manage cybersecurity in a large company. So, Kumar, first of all, where are you today?

Kumar:
I am here in the great state of Texas in the Dallas area. Northern side of Dallas, if any one of you guys are from Texas. So yeah, it’s beautiful weather out there. It’s not that hot. So we are blessed this year to have nice, pleasant weather, compared to hot weather. So I have no complaints.

Jonathan:
Good. That’s awesome. And Kumar studied at UCLA for his undergraduate degree, so he has experience in California. So you’re lucky you’ve dodged the fire season since leaving California.

Kumar:
Yeah. I’ve been hearing the news and the pictures, really sad to see the smoke and the air quality the past couple of months. So good to know it’s going down. But again, I heard that it got up again back in Napa yesterday. So really hoping that the winter coming in hopefully shuts down all of that and gives a break for you guys and everybody in California.

Jonathan:
Yeah, thank you. I like to say that cybersecurity doesn’t exist in a vacuum. And with the fire season coupled with coronavirus coupled with political instability, right now, as a country, we obviously face a number of different pressures on us. And so that’s a sort of strategic environment in which we gather. And maybe that’s something we could talk about, although I know you’re going to go a lot much more into management and looking at threat behaviors. But my sense is that the United States is more vulnerable now than we have been in the past to cyberattacks of all kinds.

Kumar, tell us a little bit about your role and what you do in AmerisourceBergen.

Kumar:
Yeah, so, absolutely. So, at AmerisourceBergen, we are in the business of pharma drug distribution. So we operate in 50 countries, and our core is to deliver drugs in a timely fashion. So for me, it’s more about purpose-driven leadership and purpose-driven job, if you will. These are critical life-saving drugs. And this is the core of how we support the community and the hospital system and the whole healthcare system.

So I take pride in working in that space. And, as much as it’s very critical and important, it comes with the challenge of cyberattacks, as imminent as it is, right. So that’s what I like about being in this space, and also helping something close to can deliver value. And I can actually see that we are helping the healthcare system, right.

So that’s how the business feeds into what I like to do as well. Specifically, with all the functions that’s involved in delivering the drugs, it comes with a lot of areas that we need to pay attention to, and we could be in a cyberattack anywhere, anytime. So what I do for them is to help build a program to have a good visibility into everything, across borders, across platform technologies, across business, third party, fourth party, if you will, trying to get a visibility, understand the risks that’s involved and build a program to support towards those attacks, and help the business be secure. And our customers feel secure. And they feel confident in doing business with us, right.

So primarily, I help build those programs, and I call it an intel-driven cyberprogram. I like to do a program based on more intel, because the cyberattacks are very dynamic.

You can’t build a wall. You could to some extent, you should. But that should not be the one strategy. You should try intel. You should focus on how early or preemptive that you get the intel by your various sources, and then act upon it and get ahead of the curve and get ahead of the attackers before they come in. Close your gaps. So our program is purely based on every single—

Jonathan:
Do you use MITRE ATT&CK? Is MITRE ATT&CK an important part of what you’re doing?

Kumar:
Oh, yeah, absolutely. Absolutely. One of the frameworks.

Jonathan:
Kumar, how do you use the MITRE ATT&CK framework?

Kumar:
Yeah, no, a great question. MITRE ATT&CK is one of the frameworks, if you will, from an intel and hunting standpoint. For compliance, there’s a lot more regulations that people follow. For cyber, it’s a growing area. It encompasses everything.

Now, you need to have a framework to go after and start building a program and see how effective you are. MITRE ATT&CK is fantastic. It lays out multiple layers how an attacker goes through from innovation, to exfiltration, going to the left recon, the initial attack phases. It gives you every single technology aspect to it. And our hunting teams actually love it because they take it and they test it. And they go after week saying, “Okay, this week, we’re going to focus on just the network innovation, right?”

Jonathan:
Yeah.

Kumar:
And then they go work on it. Some weeks, they just focus on privilege escalation, right? So maybe focus on lateral movement. So MITRE ATT&CK is great at that perspective. It also gives you a layered approach to hunting and is also able to track it. So if you’re using MITRE, or if you do not know MITRE, I think it’s the right time to get back and to look into the MITRE framework. It’s constantly growing, a lot of people contribute towards that. And I also see nowadays, a lot of tools are taking that as an input and throwing that output into that framework bucket, which is fantastic also.

Jonathan:
That’s awesome. And tell us about the size of your security team and how big each component breaks down in terms of personnel.

Kumar:
Yeah, so ours is broken down into multiple towers, to provide that layered cyber defense, if you will. The bread and butter is our 24/7 cyber ops. It’s a three-shift system, and it’s worked globally. These guys actually look at the attacks that come to us in every single minute, every single second, right? And that’s our last line of defense.

Now, this team feeds to multiple other teams we have. One of them is the special ops, we call it. That team focuses on waiting for your threat intelligence. We get multiple sources, but you have to be able to consume it and give it to the other teams in a more consumable fashion. Otherwise, there’s so much information you can swim, actually.

So that’s what these guys do. They write the intel, they make it 11 StellarPeer group industry or relevant to pharma industry or healthcare industry. Take those provided to whoever the consumers are to fix those problems. They also do hunting. There are a lot of attacks which go unnoticed because of how immature systems are still, that, is in human intelligence, too, required. Advanced threats don’t come up with missiles. They don’t land in and say, “hey, I’m here.” So you have to have that human intelligence to go, “Okay. I see a small portion of this execution of the CLI.” And then go back and look at those processes and see what’s going on. That’s what these teams do.

We also have a forensics team. They work on post forensics, help with investigations and all of that, and also memory forensics. So some of the times when we look at the triage packets, you have to look a lot more to see from a technology perspective, is it something you picked? There’s some new patterns that’s coming in, is it a new type of attack? We don’t know. But that’s where the forensics will provide you. So that’s another—

Jonathan:
Who have you found as your biggest user of the MITRE ATT&CK framework? Is it the intelligence team?

Kumar:
The intel-hunting team. Yep, exactly. We also use a little bit similar to the kill chain. Found that a lot of you guys already have that, and I’m sure that these folks who are listening in also know that.

Jonathan:
Yeah, of course.

Kumar:
Our incident response is we break it into the kill chain model. Because the critical threats are on the right side, and you work your way towards the left. The right side being that your data exfiltration stuff, and execution will be on the right side, and then as you move to the left, you will have a lot more initial hold and recon. Those would be the left. It could be a lot of noise in that space. You still have to look at them. But the critical stuff on the right side, and then you work your way to the left. So we use a different framework for the intel response on the cyber command center.

Jonathan:
I’m speculating, but could you talk a little bit about how you align the most important incidents on the right to your core missions as a company, obviously without disclosing anything that would make you more vulnerable from a security standpoint, but I think that sort of asset identification, aligning assets, and teams to defend core missions is a really important part of cybersecurity planning.

Kumar:
Yeah, no, absolutely. Because every system doesn’t have the same business priority, criticality of data sensitivity. So you have to know when an incident happens, or an activity happens in any type of system, you should also have information to go with that. It’s actionable intelligence right [crosstalk 00:22:21] the event. But it also should come with the fact that, hey, this is part of your core systems. It’s a highly critical system, that means the alert goes really high. But if it’s an internal facing system, then probably it’s a less priority than the other ones. So that’s how we built our response timeframes and also teams to look at.

So yeah, every organization, when they go through this maturity, the more value you will find when leaving the identify–pre-identify if you’re an asset priority, business criticality, and data sensitivity. So your actions and your playbooks will play accordingly. If it’s a PHI system, the responses are different. If it’s a GDPR system, then you think about law enforcement ICO, so, who do we respond to, how many records if it gets exposed for PII or PHI? Who should be involved? Should you involve your internal legal, or intel to look outside? So there are a lot of those things that will come once you identify what is this data sensitivity of that system, then you match playbooks to run with it, right? That’s how you build your program.

Jonathan:
That’s awesome. In a minute I want to turn to some of your big lessons learned for folks in cybersecurity, because you’re obviously you’ve got a very mature organization and an extensive career in the space. But before pivoting to that, I want to go from looking at your mission essential functions and the critical assets that you have to defend and different regulations. And I want to think about how you use breach and attack simulation and MITRE ATT&CK to solve these problems and how AttackIQ security optimization platform plus MITRE ATT&CK plus any red team and your purple team and functions help you drive towards efficiency.

Maybe we’ll start with MITRE ATT&CK. How has it helped your security teams to do their jobs better to defend their most important assets?

Kumar:
Yeah, no, actually, this is important and it will become vital for most organizations. For me, it is vital to have the testing layer, right? Your program could be at any level of maturity. But again, you’ve got to know whatever level you are. You have to assess yourself.

The only way, in the past, or even now, I would say you do that in security spaces is during a routine, right? But in order to do routine, most of the time it’s been done or performed once in a year, or maybe sometimes twice. Depends on the organization. But predominantly, 80, 90 percent, I’ve seen this once in a year, right? And some organizations do more. But now, that’s only once in a year, but then you’re adopting a lot more tools, a lot more capabilities throughout the year as you go by. And your process and your people, not just technology. You have to look at it holistically.

That’s where the breach and attack simulation is a fresh breath of air. You can do that on a weekly basis, which is what we do. So, not only do you turn on a configuration you want to see, “Hey, I just turned on two settings in one of the EDR solutions.” You don’t want to go call our team to come and do that. And you want to be able to quickly check and see if it’s making sense. If it really catches an attack, does it give you a detection or prevention?

You can do that with your breach and attack simulation. That’s where it’s more vital to have and testing alongside in anything that you do. And the breach and attack simulation, especially AttackIQ, has provided us a platform to do that on a consistent basis.

And it’s able to rationalize up tool sets, the efficiency of the tools. Because when you go to the market space, you can buy an EDR tool, you can buy an AV tool. You can use an IR automation tool. If you look at their capability chart, they all say the same thing, right? But how do you know who’s doing a better job than the other? There’s no way you can test the dynamic cyberattacks by yourself, you cannot simulate that.

And that’s one of the reasons why this is very important that someone is able to give you the platform like AttackIQ has given us for us to go test quickly. And then it shows us the response time. From a technology standpoint, did it pick or did not pick? Did it pick, how early did it pick? Did it miss it, okay it missed it. Now, moving to the people side, it also tells you how long it took for some type of remediation happened, right? It tells you the time that it came up. And when did you respond? Process-wise, we take these two and then build and see, what processes did we fail? Or, did you do well, right? And then go back and fix them ourselves.

So you’re going to constantly test your defense, it’s very, very, very important. And, for me, in any organization or trying to build a cyberprogram, again, as I said earlier, if you are in the earlier stages, to better your progress towards maturity, adjusting is essential. I just forwarded that platform for us.

Jonathan:
How have you found the data that’s been generated through the platform? Have you been able to measure an improvement in your efficiency and effectiveness of your security program so far? Or is that a place you’re trying to get to?

Kumar:
Absolutely. It has already started providing impacts for us in multiple ways. Normally, when you put some tools, we take some time to see it. Some tools are pretty quick. Like, right away you see it because you had enough pain points. And AttackIQ is one of them there. We know our pain points. How do we test our tools? Efficacy was always a question, especially dynamic tests. How do you test them, right? So when we bought this tool, it readily produced help in many ways. But I’ll say, maybe high-level in two or three areas, right?

The first one is tool efficiency. So we had multiple tools, and then you run an attack and then see which tool did best. And then you’re able to take it and go to your firewall team or your AV team or EDR team to make sure that they tune to the gaps that we identify. So that’s fantastic. We increase our defense by 20, 30, 40 percent and slowly improve, right?

Every time you run, you find something then you go fix it, then you run it again. Then you go up like, okay, 25, 30 percent of it is fixed. It’s still there, things are not fixed, then you go fix it. And then we go through that.

Now, the next one is very important. People struggle now with the millions of tools in the same space, if you take EDR there are hundreds of tools. If you take AV, hundreds of tools. If you look for a SOAR platform, there are hundreds of tools, right? How do you select them? And especially in this space and stuff. Now we use AttackIQ to test some of our tool selection as well. It was able to give us a perfect platform to provide us with good input on what is happening. And we are able to pick the right tool without just looking at the paper, but we’re able to have a real codification of, “Yeah, hey, this tool did really pick up all those innovations and attacks. CLA attacks, PowerShell, or fileless malware. You name all the attacks we got. This one did it. Let’s go with this tool.” Right?

Jonathan:
Yeah.

Kumar:
That’s fantastic.

Jonathan:
Yeah. That’s awesome. It’s like a test drive. It allows you to do a measured test drive of a capability.

Kumar:
Yeah, exactly. So breach and attack simulation definitely gave those perspectives for us. But everything else, like I talked about, is hunting and reporting. And we do it in two ways. One, technology-based testing. And then threat-actor-based testing. Meaning, we’ll pick a firewall for this week, we’ll run simulations of all the attacks that will be happening at the network layer. And then we just go at one particular tool and run it and fix the tool.

The other side is threat-actor-based. You could have nation-state attackers have APT 39, 34, 35, you pick those, according to the timeframes. Like, at certain times, you’ve seen there are some particular nation-state attacks that are very high during the time you get the intel. So then we correlate that with all threat actors that are more relevant to that particular geography. And also, are they going against pharma or healthcare? So we do all this mapping, the intel team does all the mapping, and then we pick those four or five and run the TTPs based on those threat actors using the AttackIQ platform.

I know that one, just to complete the thought, we also get a threat-actor-centric view, like how you have a compliance-centric view. This is more and more critical. You get a threat-actor-centric view, and then you close the gap for those threat actors there.

Jonathan:
Yeah, it’s an interesting point, right. So if you have strategic requirements, you can imagine during a period of geopolitical instability, in which there’s tensions between one after another, the one period I think about is 2012 with Iran. When we have them attacking DDoS in the financial sector, the attack on the bridge in New York, when they broke into an industrial control. So that’s creative escalating tensions. But if you’ve got your annual compliance audit, or whatever it is, you sign your annual compliance audit. You could run a test to determine whether or not those particular sections are functioning in the way that they should. And that particular slice of your set of requirements is working the way it is. Or you could go through a particular technology, like I’m going to test all my EDR right now or I’m going to test all this and that. And then you can look at firewall configurations and which firewalls are working best. Is that right?

Kumar:
Yeah, it is, actually. It’s spot on. Yeah.

Jonathan:
Now, what I wanted to ask you a second ago is whether under the extraordinary onset of the coronavirus, for your company in particular which deals with pharma, obviously, we don’t have a vaccine yet. So you could end up in a position where you’re delivering vaccines in a pretty timely manner. So that’s a question to come back to. But the first one is, have you seen an uptick in certain kinds of attacks under the coronavirus?

Kumar:
Yeah. So, you would think, the world or the globe is under a pandemic and people are struggling in different ways. 2020 has been a very tough year across the globe, everybody is going through a lot of crises. And good things also came out of that, but a lot happened that way. But you would think the attackers are taking the pandemic to slow down on things. No. And what we saw was, it’s not surprising, but then to see that in reality, it has duly upticked. And, from the get go, companies and everybody was working from home. And this was a shutdown. And attackers don’t sleep, and they actually got it. “This is our opportunity.” And they started to set out.

The first initial thing we saw was the corona map came out to track which country is having more attacks, how many people are alive, how many are recovering.

Yeah, you would have expected the attackers to take a break, right? But that did not happen. There was uptick on the attacks that we’ve seen. Especially, you probably all have seen the initial ones, there are multiple approved sites producing a map of coronavirus across the globe. How many are affected, how many are recovering. But then these guys are developing domains. And then it’s all phishing domains. And then we started to see a lot more spear phishing that comes from these attackers with those links to go click, and then they were dropping email chat and malwares. And all of this comes through email. We see—

Jonathan:
So they’re — they are contact tracing or mapping the coronavirus as a phishing tool?

Kumar:
Yep, in those domains which are hosting them. So you are very interested to see what’s happening. And then you click all those links to see, hey, which countries are affected more and which county? How does it affect me? Everybody was so curious. During the March and April timeframe, we’ve seen this skyrocket. And we have to catch and block at the email gateway. So that’s when we realized, okay, so this is going to be interesting. And then—

Jonathan:
In other words, the attackers were using information about corona, sending phishing emails to people in your company, knowing that people at AmerisourceBergen would be more interested in coronavirus data. So you had to be on the watch for the kind of malware that they might be distributing.

Kumar:
Yep, exactly.

Jonathan:
You got to tip your hat to them. That’s very targeted attack techniques.

Kumar:
Yeah, they always have all the time on hand. And then it doesn’t matter whether the world is going through a pandemic or doing well. They are on a mission to do what they’re supposed to do. So you’re going to be prepared for that. And going to continue like any of your businesses, you may be looking for some products to get shipped during coronavirus they will make every opportunity. And especially with the drugs coming in, they are going to send lots of these fake messages to all your home emails and say, “Hey, drugs are available. Go click that.” So, with personal emails, be careful. It’s been sent to every enterprise. But that’s true, it’s more relevant to every single day that goes by. So don’t click anything again, and you’ll see a lot more they’re not going to stop. So at every opportunity, they will be at it.

Jonathan:
That gets to a really good part of human psychology. It’s like, we need our drugs. The thing we’re most nervous about is our ability to withstand the pandemic. So you could see that if they knew you were doing a shipment of hand sanitizer or certain kinds of foods that you needed for your health, they would start manipulating health data in that way. That’s a really good point.

Kumar:
Yeah. And you’ve got to be very careful. Yeah. Always watchful, it’s tough, but you have to be.

Jonathan:
That’s a good pivot point, I think, for you to offer some lessons learned from your expertise. How long have you been doing cybersecurity for?

Kumar:
Gosh, I mean, anytime that, I know when I came out of school, it always has been security and cybersecurity. Although the names have changed in different ways, but it’s always about protecting data. I’m always interested in looking and thinking strategically about the market trend. When it came out, security was not a high emphasis. But that’s what I like to do and I chose to do. And my thesis and everything that revolved around that start off with it, right? And then it’s grown through that.

I went through an identity phase, an access phase, then the risk management phase, some portion of an auditing phase. And solely focused on the technology portion of most of it, building solutions, deploying them, managing programs for Fortune top 10, 50, 100 organizations, being in the top for consulting before. So, helping a lot more organizations to transform the program in order to do better security, better access control, and also provide value to the business.

And what’s always been core to me is, how do we do everything in a more purposeful way? And we always find a way to do that. And now we are at a phase where the technology sector and space are growing fast, and the business adaptation to those, either voice control or the delivery, they are changing at the speed of the technology. But now, as a security team, you have to make sure that you protect the platform, and tell them that we will be able to secure however fast you adapt, you’ve got to be a giant in the fashion. If you do that and compare to five years, six years ago, the business folks have more of an understanding about cyberthreats than before.

So when you tell them, they come to us more compared to before. “Hey, I’m trying to adopt this, what are the security risks?” They ask that. But you can say, “These are the security risks, but within this timeframe, we can give you the platform.” So they can have peace of mind that the data is protected. I think that’s where you have to think. That’s where, from a leadership standpoint, you have to think in that way, “how can I really give them a peace of mind and enable the business more securely?” I think that will be the win for security personnel and organizations helping business. That’s what we’re focusing on.

Jonathan:
That’s awesome. How much do you communicate to your seniors and do you advise your seniors to communicate to the board or to the board in general about the notion of resilience? In other words, it’s not a question of if but when you are going to be attacked. And then from there, how much do you pivot to a notion of threat-informed defense, to give them some assurance that you’re focusing on what matters most?

Kumar, that’s excellent. I wonder if you could talk a little bit about when you’re communicating to your board, or when your seniors are talking to the board, how much they talk about the concept of cyber resilience, which is the idea that it’s not if but when you’re going to be hacked or attacked. And from that point, do you drive them to focus on and assure them to say, “We’re going to focus on the threats that matter most?” Is that a narrative that you’re used to?

Kumar:
Yeah, yeah. And especially in our organization. Our customer confidence and data cybersecurity is very important. And it comes from the top, from the CEO, from the board to us. So there’s a good partnership. Our CSO goes to the board and talks about how well we are protected and what are the risks that we always see. Because you’ll never be fully protected in a fashion, but you have to know your risk. And if it comes, how quickly can you respond, and then how quickly you can get the business back online. That is the focus. And there is constant communication going thereafter. And you need that.

If you have that type of support from that level, then you can do your job better, especially in the security space and knowing that you’re supporting an organization in which they’re really focused on security.

Jonathan:
That’s awesome. Have you found at all that, using the MITRE ATT&CK and being able to talk about the three segments we’ve flagged earlier, we’ve got a nation-state view, we’ve got a technology view, and we’ve got a compliance requirement view. Have you found that the threat-informed defense approach helps the board understand your efficiency and effectiveness? I know that’s sort of a leading question, but I’m just trying to imagine how some of those conversations go.

Kumar:
Yeah, no. They do understand that, and we look at intel-based programs from the baseline. That’s how we built our program. So we always tie that back into the information that we have from threats and how do you resolve that, and we always combine that with the data points to look at, “this is what happened and this is what we found.” And then we drop down logs in the market space to see this exact same threat have attacked this particular sector. And they see this business is struggling, right? So you always compare so people get a perspective on what are we protecting, because in cyber, sometimes it’s difficult to quantify certain things.

And that’s when the real quantification comes into play, where we have this intel and these actions taken. And then when something happens to the market, you also have to be educated enough by looking at the intel that’s coming on the other side, and then go back and compare it on a monthly, quarterly basis. So that provides more value for yourself. So you know how best you’re operating. And then you also show that to the stakeholders, they know the investments made are actually helping protect the organization, right?

Jonathan:
Yeah, that fact base and database analysis, I think helps everybody get a sense of, yes, Kumar has his stuff in a pile. He’s completely organized, he knows what’s going on. He’s presenting me with data, you can come back and you can be like, “Hey, this thing happened. But this is what we did. And we operated at 80 percent effectiveness, and I’ve identified how to get us to 100 percent.” And that’s just going to help people drop their blood pressure.

Kumar:
Yeah. And our CSO does a great job on putting that information back to them. So yeah, absolutely spot on. I think that’s more important to know how we’re protected. The other important thing you should not miss is telling them the real risk. If there’s anything left, you have to convey to them. That’s the core, you have to be transparent, whatever it takes. So that’s pretty important, too.

Jonathan:
That’s really… I’m not talking out of school too badly. So I had the privilege, when I served in government, of sitting in the secretary of defense and the deputy secretary of defense’s daily staff meeting in the Pentagon. And it was early in the morning, it was like eight in the morning or seven in the morning. And you’d go around the table and the chairman of joint chiefs would be there and the secretary of defense and then all the undersecretaries of defense. Now, there was this one undersecretary who I won’t name, a charming person, really, I liked her very much. And I already narrowed it down by gendering her. But she dealt with a very complicated issue. Like, it was in media every single day, it was putting pressure on the force. And every single day, she would start by saying, “Oh, it’s bad, it’s bad. It’s bad. This is the list of bad things. And I’m doing my best. And I’m trying to solve it.” And it always left the senior leader without a single ounce of confidence. There’s just no confidence that this person has.

And then you compare it with somebody who’d be like, “This is where we are in the data. This is where we are on the incident. This is what we’ve done to solve it. And this is how much is left to be done.” And then once you’ve given that sort of confident briefing and saying, “This is what I’ve done to conquer the problem,” then you can say, “Yes, and there’s also, I need to tell you about this other component of risk that I’m really trying to solve right now.” And that’s when you surface it for the guidance to be like, “I can’t solve this problem right now. And either I’m going to go back and work on it with my team or I could use your investment at this point.” And I think that level of performance data and analysis about what actually happened and who’s doing what is so important for creating any sense of confidence on your security team. And it sounds like you guys have gotten to that place.

Kumar:
Yeah, and you’re spot on. You rightly said, that’s how it should be. So that also helps the other thing, which is knowing your own program. The more dissection you do, you’re also understanding one program better, and you can communicate better. It’s such a good thing. So yeah, you rightly covered it.

Jonathan:
Thanks. Yeah. And I recognize I was putting words in everybody’s mouth. I know we’re running out of time. Is there anything else you want to mention before we sign off?

Kumar:
No, thanks for AttackIQ, actually. From that layer that we’ve been looking to adapt… It’s adaptability as well, right? Platform is part of that adaptability, because we always look for adaptation. It’s either you go into your disruption, anything. It should be adaptable. If it’s not adaptable, it’s not doing any good for me or any of the peers of mine who are in the commercial space trying to get this moving. So the easy adoption helped us and it helped us enable our vision that we always had. But now the tool actually fits into our strategy for doing things better. So, and thanks for having me today. I hope the folks listening and yourself got some value out of this short session.

Jonathan:
I mean, tremendous and thank you for being a customer. And thanks for coming on. I mean, our goal as a company is to help everybody through whatever stage of maturity that they’re in to make the most of that security program, to make it the most efficient, most effective, to get real insights, real decisions, or to make better decisions in real security outcomes. That’s where we want to be. And we see it as a consultative process with the platform and helping our customers who understand the practice as well or better than we do. And you know your business better than we do by far.

So I really appreciate you taking the time to talk. I think it helps other people that understand the issues and it’s great to talk to someone who’s been so successful in their career. Everyone’s, I’m sure, going to be really glad to learn from you.

Kumar:
That’s great. Thank you, man. Absolutely.